
[Filebeat] Sophos Module - support for changed field names #28932

Closed
wants to merge 1 commit into from

Conversation

bitnapper

In versions 18.0.1 and 18.5.1 field names changed to device_serial_id, src_zone_type and dst_zone_type.

  • Bug
  • Enhancement

What does this PR do?

Some field changed in these versions:

  • device_id -> device_serial_id,
  • srczonetype -> src_zone_type and
  • dstzonetype -> dst_zone_type.

Added rename processors for all three. All identical to the former ones.

Also srczone and dstzone changed. But I could only find a remove processor and I'm not sure if they are preserved anywhere else. In my opinion they should be and in my use case they need to be so I did not add them to the remove processor.

Adding fields device_serial_id, src_zone_type and dst_zone_type.
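To show what the rename processors described above have to do, here is an added example (not code from this PR or from the Filebeat Sophos module) that emulates the ingest `rename` processor semantics over two constructed Sophos XG key=value events, one with the pre-18 keys and one with the 18.0.1/18.5.1 keys. It assumes the new keys are normalised back to the legacy names so downstream processing is unchanged; the module's real target fields are not on the page and are not claimed here.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events (not real firewall output): the first uses the
# pre-18 keys, the second the keys introduced in 18.0.1 / 18.5.1.
OLD_LINE = ('device="SFW" device_id=C0123456789 log_type="Firewall" '
            'srczonetype="LAN" dstzonetype="WAN" srczone="LAN" dstzone="WAN"')
NEW_LINE = ('device="SFW" device_serial_id=C0123456789 log_type="Firewall" '
            'src_zone_type="LAN" dst_zone_type="WAN" srczone="LAN" dstzone="WAN"')

# key=value and key="quoted value" pairs
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# Assumed rename table: (source field, target field). The legacy names are the
# targets so that every later processor keeps working for both firmware lines.
RENAMES: List[Tuple[str, str]] = [
    ("device_serial_id", "device_id"),
    ("src_zone_type", "srczonetype"),
    ("dst_zone_type", "dstzonetype"),
]


def parse_kv(line: str) -> Dict[str, str]:
    """Split a Sophos-style key=value line into a flat dict."""
    event: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        quoted, bare = m.group(2), m.group(3)
        event[m.group(1)] = quoted if quoted is not None else bare
    return event


def rename(event: Dict[str, str], field: str, target_field: str,
           ignore_missing: bool = True) -> Dict[str, str]:
    """Mirror the ingest 'rename' processor: absent source is skipped only
    with ignore_missing, and an already-present target is an error."""
    if field not in event:
        if ignore_missing:
            return event
        raise KeyError(f"field [{field}] doesn't exist")
    if target_field in event:
        raise ValueError(f"field [{target_field}] already exists")
    event[target_field] = event.pop(field)
    return event


def normalize(line: str) -> Dict[str, str]:
    """Parse one line and apply the rename table; srczone/dstzone are kept."""
    event = parse_kv(line)
    for src, dst in RENAMES:
        rename(event, src, dst)
    return event
```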
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Nov 11, 2021
@mergify
Contributor

mergify bot commented Nov 11, 2021

This pull request does not have a backport label. Could you fix it @bitnapper? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-v./d./d./d is the label to automatically backport to the 7./d branch. /d is the digit

NOTE: backport-skip has been added to this pull request.

@mergify mergify bot added the backport-skip Skip notification from the automated backport with mergify label Nov 11, 2021
@elasticmachine
Collaborator

elasticmachine commented Nov 11, 2021

❕ Build Aborted

The PR is not allowed to run in the CI yet

the below badges are clickable and redirect to their specific view in the CI or DOCS


Build stats

  • Reason: The PR is not allowed to run in the CI yet

  • Start Time: 2022-02-03T10:16:44.786+0000

  • Duration: 6 min 19 sec

  • Commit: 465d99c

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@elasticmachine
Collaborator

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Dec 2, 2021
@andrewkroh andrewkroh requested a review from a team December 6, 2021 12:09
@elasticmachine
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@efd6
Contributor

efd6 commented Dec 7, 2021

@bitnapper Are you able to add a test file and its expect partner with these new field names?

@botelastic

botelastic bot commented Jan 6, 2022

Hi!
We just realized that we haven't looked into this PR in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it in as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Jan 6, 2022
@andrewkroh andrewkroh changed the title Support for changed field names [Filebeat] Sophos Module - support for changed field names Feb 22, 2022
@botelastic botelastic bot removed the Stalled label Feb 22, 2022
@piellick

Hi, we have this integration in our production, keep me informed if you need information for troubleshooting.

@botelastic botelastic bot removed the Stalled label Mar 21, 2022
@efd6
Contributor

efd6 commented Mar 22, 2022

@piellick Are you able to provide sanitised log lines that we could include as test input? (This would have to go through a PR to ensure CLA compliance).

@piellick

@piellick Are you able to provide sanitised log lines that we could include as test input? (This would have to go through a PR to ensure CLA compliance).

Hi @efd6, give me your email and I will send it.

@andrewkroh
Member

This would have to go through a PR to ensure CLA compliance

@piellick Would you be able to open a PR to add some anonymized samples to https://github.com/elastic/beats/edit/main/x-pack/filebeat/module/sophos/xg/test/firewall.log? From that link you can paste in the logs and click to open a new PR.

@piellick

Hello @andrewkroh,
I have posted a bunch of Sophos firewall.log on this PR --> #31038
I hope it could help.

@andrewkroh
Member

Providing an update: We merged a fix for Sophos into the Fleet integration at elastic/integrations#2163. The next step is to sync that change back into Beats. That should fix the problem and we can close this PR and #31038.

@andrewkroh
Member

I've opened a PR to sync the Fleet integration into Filebeat so I'm going to close this one. #31388

@andrewkroh andrewkroh closed this Apr 21, 2022